Escrow the personal recovery key for the encrypted macOS device

Due to restrictions set by Apple, the escrowing personal recovery key with LogMeIn Resolve MDM works only during encryption. This means that escrowing the personal recovery key on an already encrypted macOS device requires some additional steps.

After deploying the FileVault configuration profile, access the encrypted macOS device and perform either one of the following:

Change the recovery key
Disable FileVault

You can find the detailed procedures in the following subsections.

Change the recovery key

Before you begin:

Note: You need to have administrator privileges to perform this procedure.

Open the Terminal on the macOS device.
Run the following command:
sudo fdesetup changerecovery -personal
Enter the username and password.
Result: The new FileVault recovery key is shown.
Log in to the LogMeIn Resolve MDM console.
Select Devices, and after that select the device in question.
From the Actions menu, select Sync now.

Disable FileVault

Before you begin:

Note: You need to have administrator privileges to perform this procedure.

Open the Terminal on the macOS device.
Run the following command:
sudo fdesetup disable
Enter the username and password.

Alternatively, you can perform steps 1 – 3 also from the macOS settings: System settings > Privacy & Security > FileVault.
Log out from the macOS device.
Log in to the macOS device.

FileVault is enabled automatically, and a new recovery key is generated. Wait for the process to complete.
Log in to the LogMeIn Resolve MDM console.
Select Devices, and after that select the device in question.
From the Actions menu, select Sync now.

Results: With both options, the last step causes the new recovery key to be collected and stored to LogMeIn Resolve MDM.

Note: After selecting Sync now, it takes a while before the recovery key becomes visible.

Article last updated: 3 March, 2025